As the next-generation communication technology, wireless portable Internet access further provides mobility to a local data communication system such as a conventional wireless Local Area Network (LAN) using a stationary access point (AP).
There are various standard protocols that have been developed for supporting the wireless portable Internet access, and the IEEE 802.16 working group tries to establish an international standard of the wireless portable Internet protocol.
The authentication and authorization standard defined by the IEEE 802.16 establishes authentication functions for stations in a wide area network configured with wireless networks. In particular, since the subscriber station (SS) authentication function standardized by the privacy layer of the IEEE 802.16 is defined only for SSs within a fixed network, it is not suited to SSs or subscribers that must support mobility, which is the current trend of mobile services. That is, since the authentication function, which describes messages and procedures for authenticating subscriber stations on the basis of fixed networks, does not specify detailed functions in the base station (BS), additional base station functions are required for mobile services. These additional functions require the base station to hold profiles of all subscribers currently receiving service or, when it does not hold the profiles, to provide an API for the CA interface or to accept authentication clients for interfacing with an authentication server.
Also, since the conventional authentication of subscriber stations on the fixed network is based on digital certificates, the conventional authentication process is restricted to servers that perform certificate-based authentication when a user accesses an authentication server to be authenticated. Moreover, because the conventional standard defines that the base station distributes a security key between the subscriber station and the base station, the conventional authentication process needs further improved functions for the security of the base station.
FIG. 1 is a schematic diagram showing the outline of a wireless portable Internet system.
As shown therein, the wireless portable Internet system basically includes a subscriber station 10, base stations 20 and 21 performing wireless communication with the subscriber station 10, and routers 30 and 31 connected to the base stations 20 and 21.
A wireless LAN method such as the conventional IEEE 802.11 provides a data communication method that allows short-range radio communication with reference to fixed access points; it provides no mobility to the subscriber station (hereinafter referred to as “SS”), but it supports wireless short-range data communication in place of wired short-range data communication.
Meanwhile, a new wireless portable Internet system currently being developed by the IEEE 802.16 working group is designed to provide mobility to the SS, so as to provide a seamless data communication service when the SS 10 moves from one cell managed by the base station 20 to another cell managed by an associated base station 21 (refer to FIG. 10).
The IEEE 802.16 is a standard protocol supporting a metropolitan area network (MAN), which covers data communication within a metropolitan-sized area, between the local area network (LAN) and the wide area network (WAN).
Hence, the wireless portable Internet system supports a handover of the SS 10 and allocates a dynamic IP address corresponding to the movement of the SS in a like manner of mobile communication service.
In the wireless portable Internet system, the SS 10 communicates with the base stations 20 and 21 by employing the OFDMA (Orthogonal Frequency Division Multiple Access) method. OFDMA is a multiplexing method that combines time division multiplexing (TDM) and frequency division multiplexing (FDM), using a plurality of orthogonal frequency subcarriers as a plurality of sub-channels. OFDMA resists multipath fading and sends data at a high rate.
FIG. 2 shows a diagram for a layered protocol structure of the wireless portable Internet system shown in FIG. 1.
As shown in FIG. 2, the layered protocol structure of the IEEE 802.16 wireless portable Internet system includes a physical layer L10, and Media Access Control (MAC) layers L21, L22, and L23.
The physical layer L10 performs a wireless communication function including modulation/demodulation, and coding, etc., that have been typically provided by a physical layer.
Further, the wireless portable Internet system performs its various functions using a single MAC layer, whereas a wired Internet system performs its functions using multiple function-specific sublayers.
The MAC layer has function-specific multiple sublayers: a privacy sublayer L21, a MAC common part sublayer L22, and a service-specific convergence sublayer L23.
The privacy sublayer L21 provides both authentication and encryption functions, and allows overlapping keys so that keys can be updated without interrupting the flow of data.
The privacy sublayer L21 provides authentication for secure network access and connection establishment to avoid theft of service, and also provides key exchange and encryption for data privacy. However, it authenticates a system only; user authentication is provided by an upper layer (not shown) of the MAC layer.
The MAC common part sublayer L22 carries the key functions. It provides system access, bandwidth allocation, connection establishment, and connection maintenance. The MAC common part sublayer L22 also manages quality of service (QoS).
The service-specific convergence sublayer L23 provides payload header suppression and QoS mapping for a constant flow of data.
FIG. 3 shows a block diagram for a traffic structure between the base station 20 (hereinafter, referred to as “BS”) and the subscriber station 10 in the wireless portable Internet system shown in FIG. 1.
As shown in FIG. 3, the MAC layer of the subscriber station 10 is connected to the MAC layer of the base station 20 through a traffic connection C1.
Herein, the “traffic connection C1” is a logical connection rather than a physical connection, and represents a mapping relationship between equivalent peers in the MAC of the SS and the BS for traffic transmission through each service flow.
Accordingly, the parameters and messages defined for the traffic connection C1 define functions between the MAC peer layers. In practice, the parameters and messages are processed into frames and transmitted through the physical layer, and the received frames are analyzed so that the MAC layer performs the functions corresponding to those parameters or messages.
These messages include various messages that perform request (REQ), response (RSP) and acknowledgement (ACK) functions.
Meanwhile, to provide subscribers with a secure network and fair service, the IEEE 802.16 wireless portable Internet system provides encryption of traffic data, which has recently come to be regarded as a critical requirement for the security and safety of networks.
The conventional IEEE 802.16 wireless portable Internet system defines a method of generating and distributing a traffic encryption key to be used for security on a traffic connection, so that traffic data can be encrypted before the traffic connection is established. According to this method, the SS and the BS use a PKM-REQ (Privacy Key Management-Request) message and a PKM-RSP (Privacy Key Management-Response) message to generate and distribute a traffic encryption key. Herein, the PKM-REQ message and the PKM-RSP message are related to authentication. In other words, the SS sends a Key Request message, which is one of the PKM-REQ messages, to the BS to request a traffic encryption key, and the BS sends a responding message to the SS. In detail, the BS sends a Key Reply message to the SS when the refreshment of the traffic encryption key succeeds, or a Key Reject message to the SS when the refreshment of the traffic encryption key fails. The traffic encryption key is newly generated and distributed through the foregoing method, and the SS and the BS encrypt traffic data for transmission using the traffic encryption key.
However, such a conventional method for generating and distributing a traffic encryption key defined by the IEEE 802.16 wireless portable Internet system is limited to the unicast service between the SS and the BS.
Nevertheless, the multicast service and the broadcast service must also be taken into consideration in the IEEE 802.16 wireless portable Internet system, so as to provide extendable and secure services to a large number of subscribers.
Further, when a multicast service or a broadcast service is provided in the IEEE 802.16 wireless portable Internet system, particular attention must be paid to traffic data encryption: the multicast service must be restricted against unauthorized users, and the broadcast service must be restricted against subscribers of other service providers. However, the current standard does not clearly define such restrictions.
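The following is an added example, not part of the original text and not code from any IEEE 802.16 implementation. It models the PKM-REQ / PKM-RSP exchange described above (the SS sends a Key Request, the BS answers with a Key Reply carrying a fresh traffic encryption key or with a Key Reject), and then shows concretely why a traffic encryption key issued per SS on a unicast connection cannot protect a multicast or broadcast frame meant for a group of SSs. The message type names follow the text; the field names, the authorization bookkeeping, the 16-byte key size, the 8-byte nonce and the toy authenticated stream cipher (SHA-256 keystream plus HMAC-SHA256 tag) are assumptions made for illustration only and are not the standard's cipher.

```python
"""Added example: simplified PKM Key Request / Key Reply / Key Reject exchange
and a demonstration of the unicast-only limitation of per-SS traffic encryption keys.
Field names, key sizes and the cipher construction are assumptions, not IEEE 802.16."""
import hashlib
import hmac
import os

NONCE_LEN = 8   # assumed nonce size
TAG_LEN = 32    # HMAC-SHA256 output size


def tek_encrypt(tek: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (assumption, not the standard's cipher):
    keystream blocks = SHA-256(tek || nonce || counter), XORed into the plaintext,
    followed by an HMAC-SHA256 tag so a wrong key is detected rather than silently
    yielding garbage.  Returns nonce || ciphertext || tag."""
    body = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(tek + nonce + i.to_bytes(4, "big")).digest()
        body += bytes(p ^ k for p, k in zip(plaintext[i:i + 32], block))
    tag = hmac.new(tek, nonce + bytes(body), hashlib.sha256).digest()
    return nonce + bytes(body) + tag


def tek_decrypt(tek: bytes, frame: bytes):
    """Return the plaintext, or None when the tag does not verify under this TEK."""
    nonce, body, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(tek, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    # XOR with the same keystream is its own inverse; strip nonce and tag again
    return tek_encrypt(tek, nonce, body)[NONCE_LEN:-TAG_LEN]


class BaseStation:
    """BS side: the set of authorized SSs and one unicast TEK per SS."""

    def __init__(self, rng=os.urandom):
        self.authorized = set()   # SS identifiers the BS has authenticated (assumed)
        self.teks = {}            # ss_id -> current traffic encryption key
        self.rng = rng            # injectable so tests can be deterministic

    def handle_pkm_req(self, pkm_req: dict) -> dict:
        """Process a PKM-REQ and return the PKM-RSP: Key Reply or Key Reject."""
        ss_id = pkm_req.get("ss_id")
        if pkm_req.get("type") != "Key Request":
            return {"type": "Key Reject", "ss_id": ss_id, "reason": "unsupported request"}
        if ss_id not in self.authorized:
            # Refreshing the TEK fails for an SS the BS has not authorized
            return {"type": "Key Reject", "ss_id": ss_id, "reason": "SS not authorized"}
        tek = self.rng(16)
        self.teks[ss_id] = tek
        return {"type": "Key Reply", "ss_id": ss_id, "tek": tek}


class SubscriberStation:
    """SS side: sends Key Request and installs the TEK from a Key Reply."""

    def __init__(self, ss_id: str):
        self.ss_id = ss_id
        self.tek = None

    def request_tek(self, bs: BaseStation) -> str:
        rsp = bs.handle_pkm_req({"type": "Key Request", "ss_id": self.ss_id})
        if rsp["type"] == "Key Reply":
            self.tek = rsp["tek"]
        return rsp["type"]


def multicast_reachability(bs, stations, payload: bytes, key_owner: str) -> list:
    """Encrypt one group frame under the unicast TEK of key_owner and report which
    SSs can decrypt it.  With per-SS TEKs only the key's owner succeeds, which is
    the gap the text identifies for multicast and broadcast service."""
    frame = tek_encrypt(bs.teks[key_owner], b"\x00" * NONCE_LEN, payload)  # constructed nonce
    return [ss.ss_id for ss in stations
            if ss.tek is not None and tek_decrypt(ss.tek, frame) == payload]


def demo():
    """Three SSs, two authorized: returns (per-SS PKM-RSP types, SSs reached by a group frame)."""
    bs = BaseStation()
    stations = [SubscriberStation(f"ss-{i}") for i in range(3)]
    bs.authorize = bs.authorized.add
    bs.authorize("ss-0")
    bs.authorize("ss-1")          # ss-2 is never authorized, so its request is rejected
    results = {ss.ss_id: ss.request_tek(bs) for ss in stations}
    reach = multicast_reachability(bs, stations, b"constructed multicast payload", "ss-0")
    return results, reach


if __name__ == "__main__":
    print(demo())
```

Running the block shows that the BS issues a Key Reply to each authorized SS and a Key Reject to the unauthorized one, and that a frame encrypted under one SS's unicast TEK is readable by that SS alone; the HMAC tag makes the other SSs' failure explicit instead of leaving them with garbled data. Serving the group would require a key shared by its authorized members, which is exactly what the text says the conventional unicast key distribution method does not define.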